[LARTC] Multipath routing + traffic separation problem.

[LARTC] Multipath routing + traffic separation problem.

[Laurent LAVAUD]

[-- Attachment #1: Type: text/plain, Size: 1746 bytes --]

Hello,

I have set up a multipath gateway.
System is a linux 2.4.29 kernel, iproute 20010824, iptables 1.2.11.

here is the setup:


firewall:/# ip rule
0:      from all lookup local 
100:    from all lookup main 
152:    from all fwmark       10 lookup wan1 
153:    from all fwmark       20 lookup wan2 
201:    from 213.223.96.121 lookup wan1 
202:    from 82.236.230.217 lookup wan2 
1000:   from all lookup away 

Fw-cgarp:/etc/firegate# ip route ls table wan1
default via 213.223.96.122 dev eth0  src 213.223.96.121 
prohibit default  metric 1 

Fw-cgarp:/etc/firegate# ip route ls table wan2
default via 82.236.230.254 dev eth3  src 82.236.230.217 
prohibit default  metric 1 

Fw-cgarp:/etc/firegate# ip route ls table away
default 
  nexthop via 82.236.230.254  dev eth3 weight 1
  nexthop via 213.223.96.122  dev eth0 weight 1

Fw-cgarp:/etc/firegate# iptables-save -t mangle
# Generated by iptables-save v1.2.11 on Wed Apr  6 11:57:06 2005
*mangle
:PREROUTING ACCEPT [3281:1066576]
:INPUT ACCEPT [411:32992]
:FORWARD ACCEPT [2870:1033584]
:OUTPUT ACCEPT [339:63745]
:POSTROUTING ACCEPT [3195:1096657]
-A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0xa 
-A PREROUTING -p tcp -m mport --dports 80,443,21 -j MARK --set-mark 0x14 
COMMIT
# Completed on Wed Apr  6 11:57:06 2005



So with this configuration all the http,https and ftp traffic must be routed by the 'wan2' connection.
I have done severals tests and it dont work, i have also had a realms mark to my routing rule and with the "rtacct" command i saw that traffic going through the correct rule, but http traffic continues to be balanced between the two connections...

If someone see the problem ?
Thx in advance.

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Multipath routing + traffic separation problem.

[Nguyen Dinh Nam]

[-- Attachment #1.1: Type: text/plain, Size: 2386 bytes --]

Your settings seem to be correct, I just don't know why you don't want
to balance http, https and ftp traffic between both connections? 

About the bug, I haven't used linux 2.4 for a long time, for 2.6, fwmark
is in hexa, so be careful with 10 vs. 0xa, you'd better use values less
than 0xa to avoid confusing.

Also make sure that no default route is added to your main table.


On Wed, 2005-04-06 at 12:09 +0200, Laurent LAVAUD wrote:

> Hello,
> 
> I have set up a multipath gateway.
> System is a linux 2.4.29 kernel, iproute 20010824, iptables 1.2.11.
> 
> here is the setup:
> 
> 
> firewall:/# ip rule
> 0:      from all lookup local 
> 100:    from all lookup main 
> 152:    from all fwmark       10 lookup wan1 
> 153:    from all fwmark       20 lookup wan2 
> 201:    from 213.223.96.121 lookup wan1 
> 202:    from 82.236.230.217 lookup wan2 
> 1000:   from all lookup away 
> 
> Fw-cgarp:/etc/firegate# ip route ls table wan1
> default via 213.223.96.122 dev eth0  src 213.223.96.121 
> prohibit default  metric 1 
> 
> Fw-cgarp:/etc/firegate# ip route ls table wan2
> default via 82.236.230.254 dev eth3  src 82.236.230.217 
> prohibit default  metric 1 
> 
> Fw-cgarp:/etc/firegate# ip route ls table away
> default 
>   nexthop via 82.236.230.254  dev eth3 weight 1
>   nexthop via 213.223.96.122  dev eth0 weight 1
> 
> Fw-cgarp:/etc/firegate# iptables-save -t mangle
> # Generated by iptables-save v1.2.11 on Wed Apr  6 11:57:06 2005
> *mangle
> :PREROUTING ACCEPT [3281:1066576]
> :INPUT ACCEPT [411:32992]
> :FORWARD ACCEPT [2870:1033584]
> :OUTPUT ACCEPT [339:63745]
> :POSTROUTING ACCEPT [3195:1096657]
> -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0xa 
> -A PREROUTING -p tcp -m mport --dports 80,443,21 -j MARK --set-mark 0x14 
> COMMIT
> # Completed on Wed Apr  6 11:57:06 2005
> 
> 
> 
> So with this configuration all the http,https and ftp traffic must be routed by the 'wan2' connection.
> I have done severals tests and it dont work, i have also had a realms mark to my routing rule and with the "rtacct" command i saw that traffic going through the correct rule, but http traffic continues to be balanced between the two connections...
> 
> If someone see the problem ?
> Thx in advance.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[-- Attachment #1.2: Type: text/html, Size: 3922 bytes --]

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

RE : [LARTC] Multipath routing + traffic separation problem.

[Laurent LAVAUD]

[-- Attachment #1: Type: text/plain, Size: 3662 bytes --]

hello,

first thx for your answer.

i have also tried with others marks under 10 to avoid confusion between decimal and hexa => same result.
i confirm that no default route are present in my main table, only routes for the LAN and DMZ networks.

and the reason why i want the http(s) and ftp traffic not to be balanced is for "political reason", i install several firewall for differents client and each one have their proper wish ;)

i really dont understand where the problem is.
if i use the ip filter capabilities (from, to, iif), the traffic is correctly routed, but with the netfilter mark it dont works...

i checked packets stats with iptables to see if traffic going through the mangle rules and it seems to be ok, and with the realms mark i check if the routing rule is read and it seems to be ok too...


> -----Message d'origine-----
> De : Nguyen Dinh Nam [mailto:64vn@cardvn.net] 
> Envoyé : jeudi 7 avril 2005 02:55
> À : Laurent LAVAUD
> Cc : lartc@mailman.ds9a.nl
> Objet : Re: [LARTC] Multipath routing + traffic separation problem.
> 
> 
> Your settings seem to be correct, I just don't know why you don't want to balance http, https and ftp > traffic between both connections? 
> 
> About the bug, I haven't used linux 2.4 for a long time, for 2.6, fwmark is in hexa, so be careful with 10 vs. 0xa, you'd better use values less than 0xa to avoid confusing.
> 
> Also make sure that no default route is added to your main table.
> 
> 
>>  On Wed, 2005-04-06 at 12:09 +0200, Laurent LAVAUD wrote: 
>>  Hello,
>>  
>>  I have set up a multipath gateway.
>>  System is a linux 2.4.29 kernel, iproute 20010824, iptables 1.2.11.
>>  
>>  here is the setup:
>>  
>>  
>>  firewall:/# ip rule
>>  0:      from all lookup local 
>>  100:    from all lookup main 
>>  152:    from all fwmark       10 lookup wan1 
>>  153:    from all fwmark       20 lookup wan2 
>>  201:    from 213.223.96.121 lookup wan1 
>>  202:    from 82.236.230.217 lookup wan2 
>>  1000:   from all lookup away 
>>  
>>  Fw-cgarp:/etc/firegate# ip route ls table wan1
>>  default via 213.223.96.122 dev eth0  src 213.223.96.121 
>>  prohibit default  metric 1 
>>  
>>  Fw-cgarp:/etc/firegate# ip route ls table wan2
>>  default via 82.236.230.254 dev eth3  src 82.236.230.217 
>>  prohibit default  metric 1 
>>  
>>  Fw-cgarp:/etc/firegate# ip route ls table away
>>  default 
>>    nexthop via 82.236.230.254  dev eth3 weight 1
>>    nexthop via 213.223.96.122  dev eth0 weight 1
>>  
>>  Fw-cgarp:/etc/firegate# iptables-save -t mangle
>>  # Generated by iptables-save v1.2.11 on Wed Apr  6 11:57:06 2005
>>  *mangle
>>  :PREROUTING ACCEPT [3281:1066576]
>>  :INPUT ACCEPT [411:32992]
>>  :FORWARD ACCEPT [2870:1033584]
>>  :OUTPUT ACCEPT [339:63745]
>>  :POSTROUTING ACCEPT [3195:1096657]
>>  -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0xa 
>>  -A PREROUTING -p tcp -m mport --dports 80,443,21 -j MARK --set-mark 0x14 
>>  COMMIT
>>  # Completed on Wed Apr  6 11:57:06 2005
>>  
>>  
>>  
>>  So with this configuration all the http,https and ftp traffic must be routed by the 'wan2' connection.
>>  I have done severals tests and it dont work, i have also had a realms mark to my routing rule and with > the "rtacct" command i saw that traffic going through the correct rule, but http traffic continues to > be balanced between the two connections...
>>  
>>  If someone see the problem ?
>>  Thx in advance.
>>  _______________________________________________
>>  LARTC mailing list
>>  LARTC@mailman.ds9a.nl
>>  http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc